cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
935
Views
0
Helpful
3
Replies

Cannot select URL-filtering on FireSight with Activated License

chrtveen1
Level 1
Level 1

Hi community

I've got a FireSight 6.0 VM with 4 FirePower modules enabled from four ASA 5506-X devices.

They are all updated to FirePower 6.0 and in FireSight I have an activated license:

License

Under device management for a FirePower I still cannot select URL filtering:

URL filtering

What to do?

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

The no-cost permanent Control (CTRL) license is a prerequisite for any of the term-based subscription licenses. The PAK It should have been included with the ASAs.

If it wasn't your partner (or the TAC) can call it up from the sales order and you can then redeem it for a license. 

View solution in original post

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

The no-cost permanent Control (CTRL) license is a prerequisite for any of the term-based subscription licenses. The PAK It should have been included with the ASAs.

If it wasn't your partner (or the TAC) can call it up from the sales order and you can then redeem it for a license. 

Thank you very much :) It works!

I haven't been able to find any documentation on this, is this supposedly common knowledge?

You're welcome.

It is documented, although I admit it's not an obvious thing to check. It's the kind of mistake you make once - I certainly did. :).

See, for example column three of the table below (although they have it mixed around - it should say the Control license).

Table 34-1 ASA FirePOWER Module Licenses

License
Granted Capabilities
Requires

Protection

intrusion detection and prevention

file control

Security Intelligence filtering

none

Control

user and application control

Protection

Malware

advanced malware protection (network-based malware detection and blocking)

Protection

URL Filtering

category and reputation-based URL filtering

Protection

It comes from here: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html

Also see http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Licensing_the_Firepower_System.html#ID-2240-00000035 which states:

"Although you can configure an access control policy to perform Protection-related inspection without a license, you cannot deploy the policy until you first add a Protection license to the Firepower Management Center, then enable it on the devices targeted by the policy.

If you delete your Protection license from the Firepower Management Center or disable Protection on managed devices, the Firepower Management Center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as a trigger criteria stop firing. Additionally, the Firepower Management Center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot re-deploy existing policies until you re-enable Protection.

Because a Protection license is required for URL Filtering, Malware, and Control licenses, deleting or disabling a Protection license has the same effect as deleting or disabling your URL Filtering, Malware, or Control license."

Review Cisco Networking for a $25 gift card